/*
 * chap-new.c - New CHAP implementation.
 *
 * Copyright (c) 2003 Paul Mackerras. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. The name(s) of the authors of this software must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission.
 *
 * 3. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by Paul Mackerras
 *     <paulus@samba.org>".
 *
 * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "netif/ppp/ppp_opts.h"
#if PPP_SUPPORT && CHAP_SUPPORT  /* don't build if not configured for use in lwipopts.h */

#if 0 /* UNUSED */
	#include <stdlib.h>
	#include <string.h>
#endif /* UNUSED */

#include "netif/ppp/ppp_impl.h"

#if 0 /* UNUSED */
	#include "session.h"
#endif /* UNUSED */

#include "netif/ppp/chap-new.h"
#include "netif/ppp/chap-md5.h"
#if MSCHAP_SUPPORT
	#include "netif/ppp/chap_ms.h"
#endif
#include "netif/ppp/magic.h"

#if 0 /* UNUSED */
/* Hook for a plugin to validate CHAP challenge */
int (*chap_verify_hook)(const char* name, const char* ourname, int id,
                        const struct chap_digest_type* digest,
                        const unsigned char* challenge, const unsigned char* response,
                        char* message, int message_space) = NULL;
#endif /* UNUSED */

#if PPP_OPTIONS
/*
 * Command-line options.
 */
static option_t chap_option_list[] = {
	{
		"chap-restart", o_int, &chap_timeout_time,
		"Set timeout for CHAP", OPT_PRIO
	},
	{
		"chap-max-challenge", o_int, &pcb->settings.chap_max_transmits,
		"Set max #xmits for challenge", OPT_PRIO
	},
	{
		"chap-interval", o_int, &pcb->settings.chap_rechallenge_time,
		"Set interval for rechallenge", OPT_PRIO
	},
	{ NULL }
};
#endif /* PPP_OPTIONS */


/* Values for flags in chap_client_state and chap_server_state */
#define LOWERUP			1
#define AUTH_STARTED		2
#define AUTH_DONE		4
#define AUTH_FAILED		8
#define TIMEOUT_PENDING		0x10
#define CHALLENGE_VALID		0x20

/*
 * Prototypes.
 */
static void chap_init(ppp_pcb* pcb);
static void chap_lowerup(ppp_pcb* pcb);
static void chap_lowerdown(ppp_pcb* pcb);
#if PPP_SERVER
static void chap_timeout(void* arg);
static void chap_generate_challenge(ppp_pcb* pcb);
static void chap_handle_response(ppp_pcb* pcb, int code,
                                 unsigned char* pkt, int len);
static int chap_verify_response(ppp_pcb* pcb, const char* name, const char* ourname, int id,
                                const struct chap_digest_type* digest,
                                const unsigned char* challenge, const unsigned char* response,
                                char* message, int message_space);
#endif /* PPP_SERVER */
static void chap_respond(ppp_pcb* pcb, int id,
                         unsigned char* pkt, int len);
static void chap_handle_status(ppp_pcb* pcb, int code, int id,
                               unsigned char* pkt, int len);
static void chap_protrej(ppp_pcb* pcb);
static void chap_input(ppp_pcb* pcb, unsigned char* pkt, int pktlen);
#if PRINTPKT_SUPPORT
static int chap_print_pkt(const unsigned char* p, int plen,
                          void (*printer)(void*, const char*, ...), void* arg);
#endif /* PRINTPKT_SUPPORT */

/* List of digest types that we know about */
static const struct chap_digest_type* const chap_digests[] = {
	&md5_digest,
#if MSCHAP_SUPPORT
	& chapms_digest,
	&chapms2_digest,
#endif /* MSCHAP_SUPPORT */
	NULL
};

/*
 * chap_init - reset to initial state.
 */
static void chap_init(ppp_pcb* pcb)
{
	LWIP_UNUSED_ARG(pcb);

#if 0 /* Not necessary, everything is cleared in ppp_new() */
	memset(&pcb->chap_client, 0, sizeof(chap_client_state));
#if PPP_SERVER
	memset(&pcb->chap_server, 0, sizeof(chap_server_state));
#endif /* PPP_SERVER */
#endif /* 0 */
}

/*
 * chap_lowerup - we can start doing stuff now.
 */
static void chap_lowerup(ppp_pcb* pcb)
{

	pcb->chap_client.flags |= LOWERUP;
#if PPP_SERVER
	pcb->chap_server.flags |= LOWERUP;

	if(pcb->chap_server.flags & AUTH_STARTED)
		chap_timeout(pcb);

#endif /* PPP_SERVER */
}

static void chap_lowerdown(ppp_pcb* pcb)
{

	pcb->chap_client.flags = 0;
#if PPP_SERVER

	if(pcb->chap_server.flags & TIMEOUT_PENDING)
		UNTIMEOUT(chap_timeout, pcb);

	pcb->chap_server.flags = 0;
#endif /* PPP_SERVER */
}

#if PPP_SERVER
/*
 * chap_auth_peer - Start authenticating the peer.
 * If the lower layer is already up, we start sending challenges,
 * otherwise we wait for the lower layer to come up.
 */
void chap_auth_peer(ppp_pcb* pcb, const char* our_name, int digest_code)
{
	const struct chap_digest_type* dp;
	int i;

	if(pcb->chap_server.flags & AUTH_STARTED) {
		ppp_error("CHAP: peer authentication already started!");
		return;
	}

	for(i = 0; (dp = chap_digests[i]) != NULL; ++i)
		if(dp->code == digest_code)
			break;

	if(dp == NULL)
		ppp_fatal("CHAP digest 0x%x requested but not available",
		          digest_code);

	pcb->chap_server.digest = dp;
	pcb->chap_server.name = our_name;
	/* Start with a random ID value */
	pcb->chap_server.id = magic();
	pcb->chap_server.flags |= AUTH_STARTED;

	if(pcb->chap_server.flags & LOWERUP)
		chap_timeout(pcb);
}
#endif /* PPP_SERVER */

/*
 * chap_auth_with_peer - Prepare to authenticate ourselves to the peer.
 * There isn't much to do until we receive a challenge.
 */
void chap_auth_with_peer(ppp_pcb* pcb, const char* our_name, int digest_code)
{
	const struct chap_digest_type* dp;
	int i;

	if(NULL == our_name)
		return;

	if(pcb->chap_client.flags & AUTH_STARTED) {
		ppp_error("CHAP: authentication with peer already started!");
		return;
	}

	for(i = 0; (dp = chap_digests[i]) != NULL; ++i)
		if(dp->code == digest_code)
			break;

	if(dp == NULL)
		ppp_fatal("CHAP digest 0x%x requested but not available",
		          digest_code);

	pcb->chap_client.digest = dp;
	pcb->chap_client.name = our_name;
	pcb->chap_client.flags |= AUTH_STARTED;
}

#if PPP_SERVER
/*
 * chap_timeout - It's time to send another challenge to the peer.
 * This could be either a retransmission of a previous challenge,
 * or a new challenge to start re-authentication.
 */
static void chap_timeout(void* arg)
{
	ppp_pcb* pcb = (ppp_pcb*)arg;
	struct pbuf* p;

	pcb->chap_server.flags &= ~TIMEOUT_PENDING;

	if((pcb->chap_server.flags & CHALLENGE_VALID) == 0) {
		pcb->chap_server.challenge_xmits = 0;
		chap_generate_challenge(pcb);
		pcb->chap_server.flags |= CHALLENGE_VALID;
	} else if(pcb->chap_server.challenge_xmits >= pcb->settings.chap_max_transmits) {
		pcb->chap_server.flags &= ~CHALLENGE_VALID;
		pcb->chap_server.flags |= AUTH_DONE | AUTH_FAILED;
		auth_peer_fail(pcb, PPP_CHAP);
		return;
	}

	p = pbuf_alloc(PBUF_RAW, (u16_t)(pcb->chap_server.challenge_pktlen), PPP_CTRL_PBUF_TYPE);

	if(NULL == p)
		return;

	if(p->tot_len != p->len) {
		pbuf_free(p);
		return;
	}

	MEMCPY(p->payload, pcb->chap_server.challenge, pcb->chap_server.challenge_pktlen);
	ppp_write(pcb, p);
	++pcb->chap_server.challenge_xmits;
	pcb->chap_server.flags |= TIMEOUT_PENDING;
	TIMEOUT(chap_timeout, arg, pcb->settings.chap_timeout_time);
}

/*
 * chap_generate_challenge - generate a challenge string and format
 * the challenge packet in pcb->chap_server.challenge_pkt.
 */
static void chap_generate_challenge(ppp_pcb* pcb)
{
	int clen = 1, nlen, len;
	unsigned char* p;

	p = pcb->chap_server.challenge;
	MAKEHEADER(p, PPP_CHAP);
	p += CHAP_HDRLEN;
	pcb->chap_server.digest->generate_challenge(pcb, p);
	clen = *p;
	nlen = strlen(pcb->chap_server.name);
	memcpy(p + 1 + clen, pcb->chap_server.name, nlen);

	len = CHAP_HDRLEN + 1 + clen + nlen;
	pcb->chap_server.challenge_pktlen = PPP_HDRLEN + len;

	p = pcb->chap_server.challenge + PPP_HDRLEN;
	p[0] = CHAP_CHALLENGE;
	p[1] = ++pcb->chap_server.id;
	p[2] = len >> 8;
	p[3] = len;
}

/*
 * chap_handle_response - check the response to our challenge.
 */
static void  chap_handle_response(ppp_pcb* pcb, int id,
                                  unsigned char* pkt, int len)
{
	int response_len, ok, mlen;
	const unsigned char* response;
	unsigned char* outp;
	struct pbuf* p;
	const char* name = NULL;	/* initialized to shut gcc up */
#if 0 /* UNUSED */
	int (*verifier)(const char*, const char*, int, const struct chap_digest_type*,
	                const unsigned char*, const unsigned char*, char*, int);
#endif /* UNUSED */
	char rname[MAXNAMELEN + 1];
	char message[256];

	if((pcb->chap_server.flags & LOWERUP) == 0)
		return;

	if(id != pcb->chap_server.challenge[PPP_HDRLEN + 1] || len < 2)
		return;

	if(pcb->chap_server.flags & CHALLENGE_VALID) {
		response = pkt;
		GETCHAR(response_len, pkt);
		len -= response_len + 1;	/* length of name */
		name = (char*)pkt + response_len;

		if(len < 0)
			return;

		if(pcb->chap_server.flags & TIMEOUT_PENDING) {
			pcb->chap_server.flags &= ~TIMEOUT_PENDING;
			UNTIMEOUT(chap_timeout, pcb);
		}

#if PPP_REMOTENAME

		if(pcb->settings.explicit_remote) {
			name = pcb->remote_name;
		} else
#endif /* PPP_REMOTENAME */
		{
			/* Null terminate and clean remote name. */
			ppp_slprintf(rname, sizeof(rname), "%.*v", len, name);
			name = rname;
		}

#if 0 /* UNUSED */

		if(chap_verify_hook)
			verifier = chap_verify_hook;
		else
			verifier = chap_verify_response;

		ok = (*verifier)(name, pcb->chap_server.name, id, pcb->chap_server.digest,
		                 pcb->chap_server.challenge + PPP_HDRLEN + CHAP_HDRLEN,
		                 response, pcb->chap_server.message, sizeof(pcb->chap_server.message));
#endif /* UNUSED */
		ok = chap_verify_response(pcb, name, pcb->chap_server.name, id, pcb->chap_server.digest,
		                          pcb->chap_server.challenge + PPP_HDRLEN + CHAP_HDRLEN,
		                          response, message, sizeof(message));
#if 0 /* UNUSED */

		if(!ok || !auth_number()) {
#endif /* UNUSED */

			if(!ok) {
				pcb->chap_server.flags |= AUTH_FAILED;
				ppp_warn("Peer %q failed CHAP authentication", name);
			}
		} else if((pcb->chap_server.flags & AUTH_DONE) == 0)
			return;

		/* send the response */
		mlen = strlen(message);
		len = CHAP_HDRLEN + mlen;
		p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + len), PPP_CTRL_PBUF_TYPE);

		if(NULL == p)
			return;

		if(p->tot_len != p->len) {
			pbuf_free(p);
			return;
		}

		outp = (unsigned char*)p->payload;
		MAKEHEADER(outp, PPP_CHAP);

		outp[0] = (pcb->chap_server.flags & AUTH_FAILED) ? CHAP_FAILURE : CHAP_SUCCESS;
		outp[1] = id;
		outp[2] = len >> 8;
		outp[3] = len;

		if(mlen > 0)
			memcpy(outp + CHAP_HDRLEN, message, mlen);

		ppp_write(pcb, p);

		if(pcb->chap_server.flags & CHALLENGE_VALID) {
			pcb->chap_server.flags &= ~CHALLENGE_VALID;

			if(!(pcb->chap_server.flags & AUTH_DONE) && !(pcb->chap_server.flags & AUTH_FAILED)) {

#if 0 /* UNUSED */

				/*
				 * Auth is OK, so now we need to check session restrictions
				 * to ensure everything is OK, but only if we used a
				 * plugin, and only if we're configured to check.  This
				 * allows us to do PAM checks on PPP servers that
				 * authenticate against ActiveDirectory, and use AD for
				 * account info (like when using Winbind integrated with
				 * PAM).
				 */
				if(session_mgmt &&
				        session_check(name, NULL, devnam, NULL) == 0) {
					pcb->chap_server.flags |= AUTH_FAILED;
					ppp_warn("Peer %q failed CHAP Session verification", name);
				}

#endif /* UNUSED */

			}

			if(pcb->chap_server.flags & AUTH_FAILED) {
				auth_peer_fail(pcb, PPP_CHAP);
			} else {
				if((pcb->chap_server.flags & AUTH_DONE) == 0)
					auth_peer_success(pcb, PPP_CHAP,
					                  pcb->chap_server.digest->code,
					                  name, strlen(name));

				if(pcb->settings.chap_rechallenge_time) {
					pcb->chap_server.flags |= TIMEOUT_PENDING;
					TIMEOUT(chap_timeout, pcb,
					        pcb->settings.chap_rechallenge_time);
				}
			}

			pcb->chap_server.flags |= AUTH_DONE;
		}
	}

	/*
	 * chap_verify_response - check whether the peer's response matches
	 * what we think it should be.  Returns 1 if it does (authentication
	 * succeeded), or 0 if it doesn't.
	 */
	static int chap_verify_response(ppp_pcb * pcb, const char* name, const char* ourname, int id,
	                                const struct chap_digest_type * digest,
	                                const unsigned char* challenge, const unsigned char* response,
	                                char* message, int message_space) {
		int ok;
		unsigned char secret[MAXSECRETLEN];
		int secret_len;

		/* Get the secret that the peer is supposed to know */
		if(!get_secret(pcb, name, ourname, (char*)secret, &secret_len, 1)) {
			ppp_error("No CHAP secret found for authenticating %q", name);
			return 0;
		}

		ok = digest->verify_response(pcb, id, name, secret, secret_len, challenge,
		                             response, message, message_space);
		memset(secret, 0, sizeof(secret));

		return ok;
	}
#endif /* PPP_SERVER */

	/*
	 * chap_respond - Generate and send a response to a challenge.
	 */
	static void chap_respond(ppp_pcb * pcb, int id,
	                         unsigned char* pkt, int len) {
		int clen, nlen;
		int secret_len;
		struct pbuf* p;
		u_char* outp;
		char rname[MAXNAMELEN + 1];
		char secret[MAXSECRETLEN + 1];

		p = pbuf_alloc(PBUF_RAW, (u16_t)(RESP_MAX_PKTLEN), PPP_CTRL_PBUF_TYPE);

		if(NULL == p)
			return;

		if(p->tot_len != p->len) {
			pbuf_free(p);
			return;
		}

		if((pcb->chap_client.flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED))
			return;		/* not ready */

		if(len < 2 || len < pkt[0] + 1)
			return;		/* too short */

		clen = pkt[0];
		nlen = len - (clen + 1);

		/* Null terminate and clean remote name. */
		ppp_slprintf(rname, sizeof(rname), "%.*v", nlen, pkt + clen + 1);

#if PPP_REMOTENAME

		/* Microsoft doesn't send their name back in the PPP packet */
		if(pcb->settings.explicit_remote || (pcb->settings.remote_name[0] != 0 && rname[0] == 0))
			strlcpy(rname, pcb->settings.remote_name, sizeof(rname));

#endif /* PPP_REMOTENAME */

		/* get secret for authenticating ourselves with the specified host */
		if(!get_secret(pcb, pcb->chap_client.name, rname, secret, &secret_len, 0)) {
			secret_len = 0;	/* assume null secret if can't find one */
			ppp_warn("No CHAP secret found for authenticating us to %q", rname);
		}

		outp = (u_char*)p->payload;
		MAKEHEADER(outp, PPP_CHAP);
		outp += CHAP_HDRLEN;

		pcb->chap_client.digest->make_response(pcb, outp, id, pcb->chap_client.name, pkt,
		                                       secret, secret_len, pcb->chap_client.priv);
		memset(secret, 0, secret_len);

		clen = *outp;
		nlen = strlen(pcb->chap_client.name);
		memcpy(outp + clen + 1, pcb->chap_client.name, nlen);

		outp = (u_char*)p->payload + PPP_HDRLEN;
		len = CHAP_HDRLEN + clen + 1 + nlen;
		outp[0] = CHAP_RESPONSE;
		outp[1] = id;
		outp[2] = len >> 8;
		outp[3] = len;

		pbuf_realloc(p, PPP_HDRLEN + len);
		ppp_write(pcb, p);
	}

	static void chap_handle_status(ppp_pcb * pcb, int code, int id,
	                               unsigned char* pkt, int len) {
		const char* msg = NULL;
		LWIP_UNUSED_ARG(id);

		if((pcb->chap_client.flags & (AUTH_DONE | AUTH_STARTED | LOWERUP))
		        != (AUTH_STARTED | LOWERUP))
			return;

		pcb->chap_client.flags |= AUTH_DONE;

		if(code == CHAP_SUCCESS) {
			/* used for MS-CHAP v2 mutual auth, yuck */
			if(pcb->chap_client.digest->check_success != NULL) {
				if(!(*pcb->chap_client.digest->check_success)(pcb, pkt, len, pcb->chap_client.priv))
					code = CHAP_FAILURE;
			} else
				msg = "CHAP authentication succeeded";
		} else {
			if(pcb->chap_client.digest->handle_failure != NULL)
				(*pcb->chap_client.digest->handle_failure)(pcb, pkt, len);
			else
				msg = "CHAP authentication failed";
		}

		if(msg) {
			if(len > 0)
				ppp_info("%s: %.*v", msg, len, pkt);
			else
				ppp_info("%s", msg);
		}

		if(code == CHAP_SUCCESS)
			auth_withpeer_success(pcb, PPP_CHAP, pcb->chap_client.digest->code);
		else {
			pcb->chap_client.flags |= AUTH_FAILED;
			ppp_error("CHAP authentication failed");
			auth_withpeer_fail(pcb, PPP_CHAP);
		}
	}

	static void chap_input(ppp_pcb * pcb, unsigned char* pkt, int pktlen) {
		unsigned char code, id;
		int len;

		if(pktlen < CHAP_HDRLEN)
			return;

		GETCHAR(code, pkt);
		GETCHAR(id, pkt);
		GETSHORT(len, pkt);

		if(len < CHAP_HDRLEN || len > pktlen)
			return;

		len -= CHAP_HDRLEN;

		switch(code) {
			case CHAP_CHALLENGE:
				chap_respond(pcb, id, pkt, len);
				break;
#if PPP_SERVER

			case CHAP_RESPONSE:
				chap_handle_response(pcb, id, pkt, len);
				break;
#endif /* PPP_SERVER */

			case CHAP_FAILURE:
			case CHAP_SUCCESS:
				chap_handle_status(pcb, code, id, pkt, len);
				break;

			default:
				break;
		}
	}

	static void chap_protrej(ppp_pcb * pcb) {

#if PPP_SERVER

		if(pcb->chap_server.flags & TIMEOUT_PENDING) {
			pcb->chap_server.flags &= ~TIMEOUT_PENDING;
			UNTIMEOUT(chap_timeout, pcb);
		}

		if(pcb->chap_server.flags & AUTH_STARTED) {
			pcb->chap_server.flags = 0;
			auth_peer_fail(pcb, PPP_CHAP);
		}

#endif /* PPP_SERVER */

		if((pcb->chap_client.flags & (AUTH_STARTED | AUTH_DONE)) == AUTH_STARTED) {
			pcb->chap_client.flags &= ~AUTH_STARTED;
			ppp_error("CHAP authentication failed due to protocol-reject");
			auth_withpeer_fail(pcb, PPP_CHAP);
		}
	}

#if PRINTPKT_SUPPORT
	/*
	 * chap_print_pkt - print the contents of a CHAP packet.
	 */
	static const char* const chap_code_names[] = {
		"Challenge", "Response", "Success", "Failure"
	};

	static int chap_print_pkt(const unsigned char* p, int plen,
	                          void (*printer)(void*, const char*, ...), void* arg) {
		int code, id, len;
		int clen, nlen;
		unsigned char x;

		if(plen < CHAP_HDRLEN)
			return 0;

		GETCHAR(code, p);
		GETCHAR(id, p);
		GETSHORT(len, p);

		if(len < CHAP_HDRLEN || len > plen)
			return 0;

		if(code >= 1 && code <= (int)LWIP_ARRAYSIZE(chap_code_names))
			printer(arg, " %s", chap_code_names[code - 1]);
		else
			printer(arg, " code=0x%x", code);

		printer(arg, " id=0x%x", id);
		len -= CHAP_HDRLEN;

		switch(code) {
			case CHAP_CHALLENGE:
			case CHAP_RESPONSE:
				if(len < 1)
					break;

				clen = p[0];

				if(len < clen + 1)
					break;

				++p;
				nlen = len - clen - 1;
				printer(arg, " <");

				for(; clen > 0; --clen) {
					GETCHAR(x, p);
					printer(arg, "%.2x", x);
				}

				printer(arg, ">, name = ");
				ppp_print_string(p, nlen, printer, arg);
				break;

			case CHAP_FAILURE:
			case CHAP_SUCCESS:
				printer(arg, " ");
				ppp_print_string(p, len, printer, arg);
				break;

			default:
				for(clen = len; clen > 0; --clen) {
					GETCHAR(x, p);
					printer(arg, " %.2x", x);
				}

				/* no break */
		}

		return len + CHAP_HDRLEN;
	}
#endif /* PRINTPKT_SUPPORT */

	const struct protent chap_protent = {
		PPP_CHAP,
		chap_init,
		chap_input,
		chap_protrej,
		chap_lowerup,
		chap_lowerdown,
		NULL,		/* open */
		NULL,		/* close */
#if PRINTPKT_SUPPORT
		chap_print_pkt,
#endif /* PRINTPKT_SUPPORT */
#if PPP_DATAINPUT
		NULL,		/* datainput */
#endif /* PPP_DATAINPUT */
#if PRINTPKT_SUPPORT
		"CHAP",		/* name */
		NULL,		/* data_name */
#endif /* PRINTPKT_SUPPORT */
#if PPP_OPTIONS
		chap_option_list,
		NULL,		/* check_options */
#endif /* PPP_OPTIONS */
#if DEMAND_SUPPORT
		NULL,
		NULL
#endif /* DEMAND_SUPPORT */
	};

#endif /* PPP_SUPPORT && CHAP_SUPPORT */
